NVD Vulnerability Information

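You can search the list of vulnerabilities managed in the NVD (National Vulnerability Database).
Because vulnerability information is often updated here before it appears in JVN (Japan Vulnerability Note), entries may include vulnerabilities not yet listed in JVN.

When a vulnerability has a related JVN (Japan Vulnerability Note) entry, that information is shown on the detail screen.

To search by CWE, refer to the CWE overview and check the CWE number.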


Last updated: April 25, 2026, 4:08

No | CVSS | Level | Attack vector | Vendor | Product | Title | CWE | CVE | Updated | Published | Impact view | Exploit/PoC search
301 - -
- - A Generation of Error Message Containing Sensitive Information vulnerability in the Materialized View Refresh mechanism in Google BigQuery on Google Cloud Platform allows an authenticated user to pot… New CWE-209
Information Exposure Through an Error Message
CVE-2026-3259 2026-04-24 23:50 2026-04-23 View GitHub Exploit DB Packet Storm
302 5.9 MEDIUM
Network
- - A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient sec… New CWE-94
Code Injection
CVE-2026-3960 2026-04-24 23:50 2026-04-23 View GitHub Exploit DB Packet Storm
303 9.8 CRITICAL
Network
- - Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell back… New CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-6885 2026-04-24 23:50 2026-04-23 View GitHub Exploit DB Packet Storm
304 9.8 CRITICAL
Network
- - Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to log into the system as any user. New CWE-1390
Weak Authentication
CVE-2026-6886 2026-04-24 23:50 2026-04-23 View GitHub Exploit DB Packet Storm
305 9.8 CRITICAL
Network
- - Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, mod… New CWE-89
SQL Injection
CVE-2026-6887 2026-04-24 23:50 2026-04-23 View GitHub Exploit DB Packet Storm
306 7.5 HIGH
Network
- - The LabOne Web Server, backing the LabOne User Interface, contains insufficient input validation in its file access functionality. An unauthenticated attacker could exploit this vulnerability to read… New CWE-22
CWE-346
Path Traversal
Same-Origin Policy Violation
CVE-2026-6903 2026-04-24 23:50 2026-04-23 View GitHub Exploit DB Packet Storm
307 5.7 MEDIUM
Physical
- - Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present… New CWE-457
Use of Uninitialized Variable
CVE-2025-13763 2026-04-24 23:50 2026-04-23 View GitHub Exploit DB Packet Storm
308 4.7 MEDIUM
Network
- - An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the WebPage::send-reques… New CWE-639
Authentication Bypass Through User-Controlled Key
CVE-2025-66286 2026-04-24 23:50 2026-04-23 View GitHub Exploit DB Packet Storm
309 7.3 HIGH
Adjacent
- - Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without implem… New CWE-1390
Weak Authentication
CVE-2025-70994 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
310 - -
- - An unauthenticated remote attacker is able to exhaust all available TCP connections in the CODESYS EtherNet/IP adapter stack, preventing legitimate clients from establishing new connections. New CWE-754
Improper Check for Exceptional Conditions
CVE-2026-35225 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
311 9.8 CRITICAL
Network
- - SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized befo… New CWE-89
SQL Injection
CVE-2026-41460 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
312 8.5 HIGH
Network
- - SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is no… New CWE-918
Server-Side Request Forgery
CVE-2026-41461 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
313 - -
- - Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module. New - CVE-2025-50229 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
314 9.8 CRITICAL
Network
- - Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. Versions 0.0.41 through 0.0.93 have a vulnerability in `LivekitFrameSerializer` – an opti… New CWE-502
Deserialization of Untrusted Data
CVE-2025-62373 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
315 9.8 CRITICAL
Network
- - Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that i… New CWE-306
CWE-441
Missing Authentication for Critical Function (explanation)
Filtering Bypass
CVE-2026-23751 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
316 - -
- - This vulnerability allows an attacker to create a junction, enabling the deletion of arbitrary files with SYSTEM privileges. As a result, this condition potentially facilitates arbitrary code executi… New CWE-59
Link Resolution Issue
CVE-2026-33694 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
317 7.7 HIGH
Network
- - Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod() fun… New CWE-129
Improper Validation of Array Index
CVE-2026-40886 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
318 5.3 MEDIUM
Network
- - OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, the implementation details of the baggage, … New CWE-789
Memory Allocation with Excessive Size Value
CVE-2026-40894 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
319 5.9 MEDIUM
Network
- - OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on … New CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-41078 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
320 5.9 MEDIUM
Network
- - The AWS X-Ray Remote Sampler package provides a sampler which can get sampling configurations from AWS X-Ray. Prior to 0.1.0-alpha.8, OpenTelemetry.Sampler.AWS reads unbounded HTTP response bodies fr… New CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-41173 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
321 - -
- - Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is… New CWE-22
Path Traversal
CVE-2026-41205 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
322 5.9 MEDIUM
Network
- - @node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKC… New CWE-307
CWE-1289
Improper Restriction of Excessive Authentication Attempts
Improper Validation of Unsafe Equivalence in Input
CVE-2026-41213 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
323 8.7 HIGH
Network
- - pretalx is a conference planning tool. Prior to 2026.1.0, the organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown… New CWE-79
Cross-Site Scripting (XSS)
CVE-2026-41241 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
324 - -
- - elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg (background … New CWE-78
OS Command Injection
CVE-2026-41247 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
325 - -
- - Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and perfo… New CWE-841
Improper Enforcement of Behavioral Workflow
CVE-2026-41259 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
326 - -
- - A path traversal condition in Intrado 911 Emergency Gateway could allow an attacker with existing network access the ability to access the EGW management interface without authentication. Successful … New CWE-35
Path Traversal
CVE-2026-6074 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
327 8.1 HIGH
Network
- - Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker… New CWE-94
Code Injection
CVE-2026-41246 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
328 - -
- - LeRobot through 0.5.1 contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels wit… New CWE-502
Deserialization of Untrusted Data
CVE-2026-25874 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
329 6.8 MEDIUM
Network
- - SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTT… New CWE-125
CWE-191
Out-of-bounds Read
Integer Underflow
CVE-2026-28525 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
330 - -
- - A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an att… New CWE-639
Authentication Bypass Through User-Controlled Key
CVE-2026-6375 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
331 - -
- - A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This re… New CWE-306
Missing Authentication for Critical Function (explanation)
CVE-2026-6376 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
332 7.1 HIGH
Local
- - radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the … New CWE-22
Path Traversal
CVE-2026-6940 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
333 6.6 MEDIUM
Local
- - radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malic… New CWE-59
Link Resolution Issue
CVE-2026-6941 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
334 9.8 CRITICAL
Network
- - KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authe… New CWE-502
Deserialization of Untrusted Data
CVE-2026-26210 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
335 - -
- - Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execut… New CWE-943
Improper Neutralization of Special Elements in Data Query Logic
CVE-2026-41274 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
336 6.1 MEDIUM
Local
- - melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a melange configuration file — for exampl… New CWE-22
Path Traversal
CVE-2026-29050 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
337 4.4 MEDIUM
Local
- - melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, `melange lint --persist-lint-results` (opt-in flag, also usable via `me… New CWE-22
Path Traversal
CVE-2026-29051 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
338 7.6 HIGH
Network
- - Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API rou… New CWE-89
CWE-184
SQL Injection
Incomplete Blacklist
CVE-2026-31952 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
339 5.3 MEDIUM
Network
- - go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can cause a slice out of bounds panic, which can crash a… New CWE-190
Integer Overflow or Wraparound
CVE-2026-32952 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
340 - -
- - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the haproxy_section_save interface presents a vulnerability that could lead to remote … New CWE-22
Path Traversal
CVE-2026-33076 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
341 - -
- - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the oldconfig parameter in the haproxy_section_save interface has an arbitrary file re… New CWE-22
Path Traversal
CVE-2026-33077 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
342 6.4 MEDIUM
Network
- - Xibo is an open source digital signage platform with a web content management system and Windows display player software. A stored Cross-Site Scripting (XSS) vulnerability in versions prior to 4.4.1 … New CWE-79
Cross-Site Scripting (XSS)
CVE-2026-31953 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
343 4.9 MEDIUM
Network
- - Xibo is an open source digital signage platform with a web content management system and Windows display player software. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions… New CWE-918
Server-Side Request Forgery
CVE-2026-31955 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
344 4.3 MEDIUM
Network
- - Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL t… New CWE-639
Authentication Bypass Through User-Controlled Key
CVE-2026-31956 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
345 - -
- - Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a seco… New CWE-91
Blind XPath Injection
CVE-2026-32870 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
346 - -
- - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxy_section_save function in app/routes/… New CWE-89
SQL Injection
CVE-2026-33078 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
347 4.2 MEDIUM
Network
- - FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in `channels/drive/client/drive_file.c`. The `contains_dotdot… New CWE-193
Boundary Condition Error
CVE-2026-40254 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
348 - -
- - Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the … New CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine
CVE-2026-34587 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
349 - -
- - Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined … New CWE-863
Incorrect Authentication
CVE-2026-40099 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
350 - -
- - Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined … New CWE-863
Incorrect Authentication
CVE-2026-41325 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm